package com.bootdo.system.config;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import com.bootdo.common.config.SecuityConfig;
import org.apache.commons.lang3.StringUtils;

public class XssAndSqlFilter implements Filter {

    @Override
    public void destroy() {
        // TODO Auto-generated method stub
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {

        String method = "GET";
        String param = "";
        XssAndSqlHttpServletRequestWrapper xssRequest = null;
        //TODO 除了HttpServletRequest 还有可能是什么
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpServletRequest = (HttpServletRequest) request;

            StringBuffer requestURL = httpServletRequest.getRequestURL();

            String requestURI = httpServletRequest.getRequestURI();
            System.out.println("requestURL="+requestURL);
            System.out.println("requestURI="+requestURI);

            String referer = httpServletRequest.getHeader("Referer");
            if(referer==null){
                //允许登录页面
                if(!checkNullReferer(requestURI)){
                    response.setCharacterEncoding("UTF-8");
                    response.setContentType("application/json;charset=UTF-8");
                    PrintWriter out = response.getWriter();
                    out.write("您所访问的页面请求中有违反安全规则元素存在，拒绝访问!");
                    return;
                }
            }else if(!referer.startsWith(SecuityConfig.getSecurityReferer())){

                response.setCharacterEncoding("UTF-8");
                response.setContentType("application/json;charset=UTF-8");
                PrintWriter out = response.getWriter();
                out.write("您所访问的页面请求中有违反安全规则元素存在，拒绝访问!");
                return;

            }

            method = httpServletRequest.getMethod();
            xssRequest = new XssAndSqlHttpServletRequestWrapper((HttpServletRequest) request);
        }
        if ("POST".equalsIgnoreCase(method)) {
            param = this.getBodyString(xssRequest.getReader());
            System.err.println(param);
            if(StringUtils.isNotBlank(param)){
                if(xssRequest.checkXSSAndSql(param)){

                    response.setCharacterEncoding("UTF-8");
                    response.setContentType("application/json;charset=UTF-8");
                    PrintWriter out = response.getWriter();
                    out.write("您所访问的页面请求中有违反安全规则元素存在，拒绝访问!");
                    return;

                }
            }
        }
        if (xssRequest.checkParameter()) {

            response.setCharacterEncoding("UTF-8");
            response.setContentType("application/json;charset=UTF-8");
            PrintWriter out = response.getWriter();
            out.write("您所访问的页面请求中有违反安全规则元素存在，拒绝访问!");
            return;

        }
        chain.doFilter(xssRequest, response);
    }

    private boolean checkNullReferer(String requestURI) {
        String contextPath = SecuityConfig.getContextPath();
        if("/".equals(contextPath)){
            contextPath = "";
        }
        if(requestURI == null){
            return false;
        }
        if(requestURI.indexOf("/login;JSESSIONID=") > 0){
        	return true;
        }
        if(requestURI.equals(contextPath) || requestURI.equals(contextPath+"/")
                || requestURI.equals(contextPath+"/login")
                || requestURI.equals(contextPath+"/login/")
                || requestURI.equals(contextPath+"/index")
                || requestURI.equals(contextPath+"/index/")){
            return true;
        }else{
            return false;
        }

    }

    @Override
    public void init(FilterConfig arg0) throws ServletException {
        // TODO Auto-generated method stub

    }

    // 获取request请求body中参数
    public static String getBodyString(BufferedReader br) {
        String inputLine;
        String str = "";
        try {
            while ((inputLine = br.readLine()) != null) {
                str += inputLine;
            }
            br.close();
        } catch (IOException e) {
            System.out.println("IOException: " + e);
        }
        return str;

    }

}